I’ve been trying to get direct connections with tailscale for weeks now, and can’t seem to make it happen.
I have spectrum internet at home, opnsense firewall, running tailscale (as an exit node) on a ubuntu machine (not on the opnsense box).
I can connect via relay 100% of the time, so that’s great. But never direct.
I’ve tried all of the following, but always only get relay connections:
turning on NAT-PMP on opnsense
Manually forwarding UDP/41641 to the tailscale ubuntu server
setting outbound NAT to static for the tailscale ubuntu server
Always relay - from my work laptop at work, from my cell phone on Verizon, from my relatives house.
I assume the issue is on my ubuntu/exit node, as I would think the verizon connection at least would have been “open enough” to get direct connections.
I’m out of things to try at this point . Any suggestions???
As an adder… I setup a tailscale docker container on Unraid as a router + exit node, and it looks like I can get direct connections to it. No changes on the opnsense side - NAT-PMP still turned on. Not sure why.
Wonder if I have an ubuntu setting wrong somewhere.
Edit, never mind. Everything is back to using relay again. Blah.
I really like the simplicity of tailscale, but not sure I want to live with the speed hit of using relays vs a direct manually configured wireguard connection.
A lot of it has to do with the type of connection that you have. LTE networks for instance use a type of CGNAT that I have not been successful in getting a direct connection through.
If you have ports assigned on both sides, and you’re not behind a CGNAT in the middle, then you should be able to get a direct connection. Note that the first few packets will always go over DERP while it negotiates a new connection. If you run tailscale ping 100.x.x.x to one of your other nodes, it should be communicating directly by the time it finishes if nothing is blocking that.
If you want to email your tailscale ip to support@tailscale.com I can take a look at what specifically might be preventing your connection.
Thanks for the feedback. What I’ve learned is that:
I can get a direct connection from my cellphone to my exit node with no issues (Verizon is my carrier)
I can never get a direct connection from my work computer to exit node. Pinging the device from the exit node always says “direct connection not established”. It is possible/likely that my work’s NAT is just goobering things up. I can live with that though.
I signed up for the Personal Pro subscription to try and do my part in helping fund development. Thanks for the great product!